CVE-2020-15708 - Vulnerability Details - OpenCVE

Description

Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code.

Published: 2020-11-06

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Ubuntu

libvirt

affected

Version	Status	Constraints
`unspecified`	affected	< 6.0.0-0ubuntu8.3

Configuration 1 [-]

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2020-7694	Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code.
Ubuntu USN	USN-4452-1	libvirt vulnerability

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00153.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2020-15708
https://usn.ubuntu.com/usn/usn-4452-1
https://www.cve.org/CVERecord?id=CVE-2020-15708

History

No history.

Subscriptions

Canonical Ubuntu Linux

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2020-11-06T01:40:13.864Z

Updated: 2024-09-16T17:37:51.206Z

Reserved: 2020-07-14T00:00:00.000Z

Link: CVE-2020-15708

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-11-06T02:15:12.050

Modified: 2024-11-21T05:06:04.217

Link: CVE-2020-15708

Redhat

Severity : Moderate

Publid Date: 2020-08-04T00:00:00Z

Links: CVE-2020-15708 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-732

{"containers": {"cna": {"affected": [{"product": "libvirt", "vendor": "Ubuntu", "versions": [{"lessThan": "6.0.0-0ubuntu8.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Trent Shea"}], "datePublic": "2020-08-04T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-06T01:40:13.000Z", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://usn.ubuntu.com/usn/usn-4452-1"}], "source": {"advisory": "https://usn.ubuntu.com/usn/usn-4452-1", "discovery": "EXTERNAL"}, "title": "Libvirt Service Arbitrary File Write Privilege Escalation Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2020-08-04T00:00:00.000Z", "ID": "CVE-2020-15708", "STATE": "PUBLIC", "TITLE": "Libvirt Service Arbitrary File Write Privilege Escalation Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "libvirt", "version": {"version_data": [{"version_affected": "<", "version_value": "6.0.0-0ubuntu8.3"}]}}]}, "vendor_name": "Ubuntu"}]}}, "credit": [{"lang": "eng", "value": "Trent Shea"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}]}, "references": {"reference_data": [{"name": "https://usn.ubuntu.com/usn/usn-4452-1", "refsource": "MISC", "url": "https://usn.ubuntu.com/usn/usn-4452-1"}]}, "source": {"advisory": "https://usn.ubuntu.com/usn/usn-4452-1", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:22:30.657Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://usn.ubuntu.com/usn/usn-4452-1"}]}]}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2020-15708", "datePublished": "2020-11-06T01:40:13.864Z", "dateReserved": "2020-07-14T00:00:00.000Z", "dateUpdated": "2024-09-16T17:37:51.206Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code."}, {"lang": "es", "value": "El paquete de Ubuntu de libvirt en versi\u00f3n 20.04 LTS cre\u00f3 un socket de control con permisos de lectura y escritura mundial. Un atacante podr\u00eda utilizar esto para sobrescribir archivos arbitrarios o ejecutar c\u00f3digo arbitrario"}], "id": "CVE-2020-15708", "lastModified": "2024-11-21T05:06:04.217", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "security@ubuntu.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-06T02:15:12.050", "references": [{"source": "security@ubuntu.com", "tags": ["Vendor Advisory"], "url": "https://usn.ubuntu.com/usn/usn-4452-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://usn.ubuntu.com/usn/usn-4452-1"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "security@ubuntu.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "libvirt: incorrect permissions on the UNIX domain socket allows local attacker to escalate privileges", "id": "1866270", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866270"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-732", "details": ["Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code.", "A flaw was found in libvirt, where an incorrect permissions issue occurs on the UNIX domain socket. This flaw allows a local attacker to access libvirt and escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, and system availability."], "name": "CVE-2020-15708", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "libvirt", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "libvirt", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libvirt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/libvirt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:8.2/libvirt", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:8.3/libvirt", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "libvirt", "product_name": "Red Hat Storage 3"}], "public_date": "2020-08-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-15708\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15708"], "statement": "This is an Ubuntu specific flaw. The versions of `libvirt` as shipped with Red Hat Enterprise Linux and RHEL Advanced Virtualization are not affected by this issue, as they leverage `polkit` for authentication. More specifically, the socket permission is 0666, and when an unprivileged user connects, `polkit` will validate the client and require them to provide the root password before `libvirt` allows any RPC calls to be performed.", "threat_severity": "Moderate"}